Wednesday, August 03, 2011

White-hats are on the side of law, but not order

This post to a "white-hat hacker" mailing list asks for volunteers in training law enforcement officers. The author of the post is under the misapprehension that just because white-hats are on the side of law that they are on the side of law enforcement. That's not true.

The issue is not "law" but "order". Police believe their job is not just to enforce the law but also to maintain order. White-hats are disruptive. While they are on the same side of the "law", they are on opposite sides of "order".

During the J. Edgar Hoover era, the FBI investigated and wiretapped anybody deemed a troublemaker, from Einstein to Martin Luther King. White-hats aren't as noble as MLK, but neither are white-hats anarchists who cause disruption for disruption's sake. White-hats believe that cybersecurity research is like speech: short-term disruption for long-term benefits to society.

I have personal experience with this. In 2007, I gave a speech at the biggest white-hat conference. It was nothing special, about reverse engineering to find problems in a security product. Two days before the speech, FBI agents showed up at my office and threatened me in order to get me to stop the talk, on (false) grounds of national security. Specifically, the agents threatened to taint my FBI file so that I could never pass a background check, and thus never work for the government again. I respond poorly to threats, so I gave the talk anyway.

I point this out because it so aptly proves my point. I am not on the side of law enforcement, because law enforcement has put me on the other side. One of the requirements (from the above post) to volunteer is to pass a background check -- a check that I can no longer pass (in theory). I cannot volunteer to train law enforcement because they perceive me as the enemy.

Other examples are the way law enforcement goes after "grey-hat" hackers who may technically violate the law, but who are not involved in cybercrime. They are prosecuted because they cause trouble, not because they cause financial losses.

A prime example of this is "weev", who was arrested for hacking into AT&T and stealing identity information for early iPad owners. Except he didn't hack AT&T. The problem was that AT&T made the information public on their website. Weev just downloaded it. Okay, it was a bit more complicated than that. He had to write a custom script to download the information. But while it was more complicated than simply clicking on a link, it was a far cry from breaking into the machine. It's a grey area, open to interpretation about what, precisely, constitutes hacking. Since weev so greatly embarrassed AT&T, that grey area was shifted against him. But that embarrassment served a purpose. It closed an obvious hole that could've been exploited by black-hat hackers, and it created a way of teaching about a common problem to prevent others from making that mistake in the future.

Not all "grey-hats" are useful. The hacktivists like Anonymous and LulzSec are more like terrorists than activists, who use intimidation to pursue their political goals. Law enforcement cannot appreciate the difference between "embarrassment" that serves a purpose, and "intimidation" that does not.

I've spent 15 years working with law enforcement. I know that the fascists that tried to intimidate me were a rare exception and not the rule. But that doesn't matter -- even the good guys are passive when their fellow law enforcement officers abuse their positions. The FBI is one big group-think; nobody is willing to harm their career by not appearing to be a team player. When one "bad apple" goes after a white-hat, none of the vast majority of "good apples" are going to stand up and oppose him. It's often portrayed in television and movies that officers band together in order to oppose "internal affairs" who investigate abuse by officers -- that effect is real, and wrong.

Thus, despite upholding the law, we white-hats still oppose law enforcement, who often see us as the enemy. The person we train today in digital forensics might be the person tomorrow who serves us with a warrant to confiscate our hard drives.

Nick has a great response here: http://nickselby.com/articles/technology/index.htm?a=1820. I think his best point is that it works both ways: cops fear what they don't understand, which sometimes leads them to act like thugs toward white-hats. I can confirm this: even though I tried to use the simplest, non-jargon terms when talking to those FBI agents who were trying to intimidate me, clearly I intimidated them with superior knowledge. At one point, they mentioned "we don't have a Ph.D. in security like you guys".